Details
- Type: Bug
- Status: Closed
- Priority: Normal
- Resolution: Fixed
- None
- None
- Froyo
- 3
- Sprints: Platform Core 2017-09-05, Server 2017-07-25, Platform Core 2017-08-08, Platform Core 2017-08-22
- Bug Fix
- Automate
Description
Currently, the CA code returns the contents of $cadir/ca_crt.pem to agents who hit /v1/certificate/ca, which they do in order to bootstrap a trust relationship. The agents hit this endpoint if there isn't a localcacert on their filesystem, save the results to $ssldir/certs/ca.pem, and use the returned certificate to validate subsequent server connections.
While the agents will happily use a certificate chain at their localcacert location to validate server connections, and puppet cert generate hostname.dom.ain on the master will select and use the correct CA cert out of a chain in ca_crt.pem, the autosigning code errors when it encounters such a file:
Error: Could not request certificate: Error 500 on SERVER: Internal Server Error:
    java.lang.IllegalArgumentException: The PEM stream must contain exactly 1 certificate
I'm open to implementation options, either to permit >1 cert in the file (as puppet cert generate seems to do just fine, presumably by matching the private key to one of the certs in the bundle?) or by allowing a separate file to be returned by the /certificate/ca endpoint which is disconnected from the actual signing cert file.
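The failure described above, reproduced as an added example (not Puppet's or Puppet Server's own code): a constructed root and intermediate CA are written out as a two-certificate bundle of the kind a chained ca_crt.pem would hold, a strict reader rejects it exactly as the server does, and a bundle-tolerant reader selects the signing certificate by checking which one matches the CA private key (the option the reporter speculates puppet cert generate uses). An agent certificate is then issued from the selected CA cert and validated against the full bundle, as an agent with the chain in localcacert would do. All certificate names, serials and helper names (parse_pem_certs, load_single_ca_cert, select_signing_cert, issue_agent_cert, agent_cert_valid?) are assumptions made for this example.

```ruby
require 'openssl'

# Constructed fixtures for this example: an in-memory root CA and intermediate CA.
ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
INT_KEY  = OpenSSL::PKey::RSA.new(2048)

# Build a CA certificate; self-signed when no issuer is given.
def make_ca_cert(cn, key, serial, issuer_cert: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 10 * 365 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

ROOT_CERT = make_ca_cert('Example Root CA', ROOT_KEY, 1)
INT_CERT  = make_ca_cert('Example Intermediate CA', INT_KEY, 2,
                         issuer_cert: ROOT_CERT, issuer_key: ROOT_KEY)

# Shape of a chained ca_crt.pem: the signing (intermediate) cert first, then the root.
CA_BUNDLE_PEM = INT_CERT.to_pem + ROOT_CERT.to_pem

# Split a PEM stream into all of its certificates. OpenSSL::X509::Certificate.new
# on the whole stream would silently parse only the first block, so split explicitly.
def parse_pem_certs(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# Strict reader: the behaviour the ticket reports. A bundle is rejected outright.
def load_single_ca_cert(pem)
  certs = parse_pem_certs(pem)
  unless certs.size == 1
    raise ArgumentError, "The PEM stream must contain exactly 1 certificate (got #{certs.size})"
  end
  certs.first
end

# Bundle-tolerant reader: return the certificate whose public key matches the CA private key.
# check_private_key compares the key pair, so a bundle with any number of certs is fine.
def select_signing_cert(pem, ca_key)
  match = parse_pem_certs(pem).find { |c| c.check_private_key(ca_key) }
  raise ArgumentError, 'No certificate in the PEM stream matches the CA private key' unless match
  match
end

# Issue an agent certificate from the selected CA certificate and key.
def issue_agent_cert(agent_cn, ca_cert, ca_key, serial)
  agent_key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', agent_cn]])
  cert.issuer = ca_cert.subject
  cert.public_key = agent_key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 365 * 86_400
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Validate as an agent holding the full chain in localcacert would: every cert in the
# bundle is loaded into the trust store, so the chain agent -> intermediate -> root closes.
def agent_cert_valid?(agent_cert, bundle_pem)
  store = OpenSSL::X509::Store.new
  parse_pem_certs(bundle_pem).each { |c| store.add_cert(c) }
  store.verify(agent_cert)
end

if __FILE__ == $PROGRAM_NAME
  begin
    load_single_ca_cert(CA_BUNDLE_PEM)
  rescue ArgumentError => e
    puts "strict reader: #{e.message}"
  end
  signing = select_signing_cert(CA_BUNDLE_PEM, INT_KEY)
  puts "selected signing cert: #{signing.subject}"
  agent = issue_agent_cert('agent.example.test', signing, INT_KEY, 100)
  puts "agent cert valid against bundle: #{agent_cert_valid?(agent, CA_BUNDLE_PEM)}"
end
```

The selection step is the part that matters for the second option in the ticket: once the signing certificate is chosen by key match rather than by position, the file handed out at /certificate/ca can stay the full chain, and the same file serves both the server's signing path and the agent's validation path.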
Attachments
Issue Links
- relates to SERVER-1545 Certificate issued from Intermediate CA cert via Puppet Server CA service fails validation (Resolved)
- relates to PCP-530 clj-pcp-client cannot be used with chained certificates (Closed)
- relates to PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file (Closed)
- relates to SERVER-1317 HTTP CA Tests (Closed)